WordPress has recently been subject to a brute force attack where sites using the default “admin” have been hacked. You can read about the particulars of the attack here. Whether or not you’re using the default username or another common one, it’s probably pertinent to review the security setup of your WordPress sites. Here are a couple of things you can do in a few minutes that will greatly improve the security of your site.
Change your username from “admin”
WordPress now enables the username to be changed from the default “admin” during installation. I highly recommend you do this. If your installation is already complete WordPress doesn’t allow you to change usernames directly. There are two fairly simple work arounds.
Add a new user & delete the “admin” user
- Select User from the main WordPress menu
- Select Add New
- Enter your user details, making sure to:
- Hit the blue Add New User button
- Log out of WordPress, then log back in with the new user details you just created
- Navigate to the User screen again
- Tick the little box next to the user with username “admin”
- Delete this user (under Bulk Actions). You will be asked if you’d like to delete or reassign this users posts. Make sure you reassign them!! Alternatively, you can change the admin user’s role to subscriber.
Install a plugin to do it for you
There are a number of plugins, like Admin username changer, that will allow you to change a username once the user has been set up.
Change your passwords regularly
Once you’ve got the username part sorted, it’s still important to change passwords on a regular basis. Passwords are a pain for all of us. Every account needs a different one and they ask us to try to remember a random combination of numbers, letters, caps and punctuation. A password manager is a must. I use 1Password, which is fantastic, but there are plenty of others.
Much to my delight, I stumbled across a better password generation method last week. I’m beginning to use this method for sites that don’t require all the hieroglyphics.